I’ve long sung the praises of PGP for secure email and data storage.

The question is: how do I send secure email from a computer where I can’t install any programs?

The answer: PGP on a USB drive!*

The method below will allow you to use all of the GnuPG functions without installing anything on the host computer. In fact, besides file access, there are no traces that GnuPG was in use.


Ingredients:

- empty, formatted USB drive >128MB – the faster, the better!

- GnuPG 1.4.9 Windows binary – http://www.gnupg.org/download/

- GPGShell 3.73 – http://www.jumaros.de/rsoft/index.html

- Copy2USB 1.05 – http://www.jumaros.de/rsoft/download/Copy2Usb.exe.gpg

- Firefox Portable – http://portableapps.com/apps/internet/firefox_portable

- FireGPG – http://getfiregpg.org/s/home (after Firefox Portable installed)

- SHA1sum – ftp://ftp.gnupg.org/GnuPG/binary/


Directions:

0) Use SHA1sum to check the integrity of the files you downloaded.

1) Install GPGShell on your computer. Install GnuPG in the GPGShell directory. This does not give the cleanest installation but makes everything much easier.

2) Use GnuPG (or some other PGP program) to extract Copy2USB. (Hint: use the decrypt function.)

3) Run Copy2USB. It should be fairly self-explanatory. The target directory is a folder on the USB drive.

4) Test the install! Try opening GPGtray and accessing the key manager. If successful, go to a command line and check the version with “gpg --version”. If the home directory is pointing at C:\Documents and Settings\… then you will need to reset the home folder. This can be done from the gpgconfig program.

Note: Use a fast USB drive. Otherwise, it will seem as if the very paws of Slowcat himself are haplessly fumbling with your instructions.

5) Install FirefoxPortable on the USB drive. Set it up however you like.

6) Install FireGPG as an extension. It may complain about an old library; I haven’t found a way to solve that. However, everything seems to work out fine in the end.

6a) Disable the Gmail integration. At the very least, test it before you rely on it. It doesn’t seem to work properly.

6b) Set the paths. Specify the path to the GPG executable. Add a command line option to set the home directory to the proper place on the USB drive. %CD%\..\.. will help here: it starts the path in your current directory and then goes up a couple of levels. Not particularly elegant, but it works!

7) Test integration with FirefoxPortable. Start GPGTray and create a new keypair. Make the passphrase STRONG! A sentence that is easy for you to remember and difficult for someone to guess is ideal. Throw in some l33t or dirty words. Close the key manager and open the key manager from within FireGPG. If you can see the key, you’ve done things correctly!
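A check for steps 4 and 6b, added here as an example (it is not part of the original post or of GnuPG): it reads the Home: line of “gpg --version” output and reports whether the keyring directory sits on the USB drive rather than in the host profile. The drive letter, folder names, user name and both sample outputs are constructed assumptions.

```python
import ntpath
import re
import subprocess

# Constructed sample `gpg --version` output (not captured from a real run).
ON_HOST = """gpg (GnuPG) 1.4.9
Home: C:/Documents and Settings/alice/Application Data/gnupg
Supported algorithms:
"""
ON_USB = """gpg (GnuPG) 1.4.9
Home: E:/PGP/GnuPG
Supported algorithms:
"""

def reported_home(version_output):
    """Return the path on the 'Home:' line of `gpg --version`, or None."""
    m = re.search(r"^Home:[ \t]*(.+?)\s*$", version_output, re.MULTILINE)
    return m.group(1) if m else None

def _norm(path):
    # ntpath applies Windows path rules on any OS: it folds case, unifies
    # / and \, and collapses ".." segments such as those from %CD%\..\..
    return ntpath.normcase(ntpath.normpath(path))

def home_is_on_usb(version_output, usb_root):
    """True only if gpg's home directory is usb_root or a folder below it."""
    home = reported_home(version_output)
    if not home or home.startswith("~") or "%" in home:
        return False  # missing or unexpanded: treat as the host profile
    home, root = _norm(home), _norm(usb_root)
    if not ntpath.splitdrive(home)[0]:
        return False  # relative path: depends on the current directory
    return home == root or home.startswith(root.rstrip("\\") + "\\")

def check_gpg(gpg_exe, usb_root):
    """Run the real binary (path supplied by the caller) and apply the check."""
    out = subprocess.run([gpg_exe, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return home_is_on_usb(out, usb_root)

if __name__ == "__main__":
    for name, sample in (("host", ON_HOST), ("usb", ON_USB)):
        print(name, reported_home(sample), home_is_on_usb(sample, "E:\\PGP"))
```

If the check fails, new keypairs created in step 7 would be written to the host computer instead of the USB drive.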


Use: Gmail Example

0) Create a new keypair called “Test”. Set the passphrase to something very simple.

1) Open FirefoxPortable. Log in to your Gmail account and type a message into the body of the email.

2) Select the entire plaintext message and right click. Choose FireGPG->Encrypt and Sign. In this example, you will encrypt the message with Test’s public key and sign with your private key. You will be asked to enter your passphrase for the private key.

3) Paste the entire PGP message block including headers into the body of the email. You will want to either paste over or delete the plaintext. Send the email to yourself.

4) To decrypt the cyphertext you just sent to yourself, select the cyphertext and right click. Choose FireGPG->Decrypt. You will then be asked to enter the passphrase for the Test private key. If successful, a new window should open up revealing the original message you typed.


Key Points:

1) To Send: Encrypt with the recipient’s public key. Sign with your private key using your passphrase.

2) To Read: Decrypt with your private key using your passphrase.

Of course, you cannot encrypt a message if you don’t know a person’s public key. To find someone’s public key, you can either have them give it to you (via email, paper, telepathy, etc.) or you can search for it on a keyserver like cryptonomicon.mit.edu.